(Updated) Microsoft Purview: Data Security Investigations – analyze files tied to endpoint DLP alerts
MC1258000
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2026-05-18 22:43:48
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): none
Action by (AI): 2026-04-20 00:00:00
Services: Microsoft Purview
Tags: Updated message, New feature, User impact, Admin impact
Master tags: Admin, Security
Roadmap IDs: 558547

One-line summary

Endpoint DLP events will become queryable in Data Security Investigations in Microsoft Purview, enabling AI-powered analysis and investigation of DLP activity for admins and security teams.

Details

RoadmapIds: 558547
Summary: Microsoft Purview’s Data Security Investigations (DSI) will integrate endpoint Data Loss Prevention (DLP) events as a queryable data source, enabling admins to analyze associated files automatically. Rollout begins early June 2026 with no user impact or required admin action. This enhances investigation efficiency using AI tools.
Platforms: Web

Body (from Message Center)

Updated May 18, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

We’re introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios.

This message is associated with Microsoft 365 Roadmap ID 558547.

[When this will happen]

  • Public Preview: Rollout begins in early June 2026 (previously late April) and completes in early June 2026 (previously mid‑May).
  • General Availability (Worldwide): Rollout begins in mid-June 2026 (previously mid‑May) and completes in mid-June 2026 (previously mid‑May).

[How this will affect your organization]

Who is affected

Admins and security investigators using Data Security Investigations (DSI) and endpoint Data Loss Prevention (DLP) in the Microsoft Purview compliance portal.

What will happen

  • A new Endpoint DLP tab will appear in the DSI search experience, alongside the existing Query Builder and Audit tabs.
  • Admins and investigators can query endpoint DLP events using date range filters (additional filters coming soon).
  • Files associated with matching endpoint DLP events will be automatically added to the investigation scope for analysis using DSI’s AI‑powered tools.
  • This feature will appear automatically for eligible tenants when rollout completes. No admin action is required to enable it.
  • There is no user impact.

[What you can do to prepare]

No action is required. Optionally, you may:

  • Review how endpoint DLP query capabilities work within DSI.
  • Update internal documentation for alert triage and investigation workflows, if applicable.
  • Inform security teams and endpoint DLP administrators about this new capability.

[Compliance considerations]

Question: Does the change alter how existing customer data is processed, stored, or accessed?
Answer: Yes. Endpoint DLP event data becomes queryable in DSI, and associated files are automatically collected into investigations for analysis.

Question: Does the change introduce or significantly modify AI/ML capabilities that interact with customer data?
Answer: Yes. DSI’s existing AI‑assisted investigation tools will now analyze files gathered through endpoint DLP queries.

Question: Does the change modify how admins can monitor, report on, or demonstrate compliance activities?
Answer: Yes. Admins gain new ways to surface, query, and analyze endpoint DLP signals within DSI.
